Event Log Management

Logs .. Logs and More Logs

Tracking down ZeroAccess botnet

Normally I focus on the Windows Event Log, but today I'm going to stray into the world of firewall logs.  Over the last several months I've been helping customers with Proof of Concepts for LogRhythm, and one of the things that I have found with several of my customers has been the ZeroAccess botnet.  It's actually very easy to track down.  One of the rules that LogRhythm Labs has set up, and which comes out of the box, is focused on finding any ZeroAccess bots; see Fig 1.

Fig 1. ZeroAccess AIE Rule

ZeroAccess is a peer-to-peer botnet operating over ports 16464, 16465, 16470, or 16471.  Each infected host maintains a list of 256 peers that it attempts to connect to over these ports.  Once communications are established payloads and instructions are transferred through the peers.

A simple Unique Values AIE rule was configured that looks for network connections on those four ports, originating from a single host and trying to communicate with 100 or more unique hosts.  Since each infected host attempts to connect to 256 peers, 100 unique hosts was a good number: it minimizes false positives that might be generated should a host attempt legitimate communications over any of those ports.
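The Unique Values logic above can be reproduced outside LogRhythm for anyone who only has raw firewall logs.  The script below is an added example, not the LogRhythm rule or any code from this post: it parses constructed syslog-style firewall lines (the `src=`/`dst=`/`dport=` field layout is an assumption, not a real vendor format), keeps the set of unique destinations each source contacted on the four ZeroAccess ports, and reports any source at or above the 100-host threshold.

```python
import re
from collections import defaultdict

# Ports used by the ZeroAccess peer-to-peer protocol, as described in the post.
ZEROACCESS_PORTS = {16464, 16465, 16470, 16471}
# Threshold from the post: one source reaching 100 or more unique peers.
UNIQUE_HOST_THRESHOLD = 100

# Assumed (constructed) log layout: "... src=A.B.C.D dst=E.F.G.H dport=N ...".
# Real firewalls use their own field names; adjust the regex for yours.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport) for a line that matches the layout, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def count_unique_peers(lines):
    """Map each source IP to the set of distinct destinations it contacted
    on a ZeroAccess port.  Using a set is what makes this a Unique Values
    count: repeated connections to the same peer are counted once."""
    peers = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in ZEROACCESS_PORTS:
            peers[src].add(dst)
    return peers


def find_suspected_bots(lines, threshold=UNIQUE_HOST_THRESHOLD):
    """Return {src: unique_peer_count} for sources at or above the threshold."""
    return {
        src: len(dsts)
        for src, dsts in count_unique_peers(lines).items()
        if len(dsts) >= threshold
    }


def make_sample_logs():
    """Constructed sample data, not captured traffic:
    - 10.0.0.5 fans out to 150 distinct peers on 16464 (plus 20 repeats),
    - 10.0.0.7 talks to only 3 hosts on 16465 (legitimate use of the port),
    - 10.0.0.9 does ordinary HTTPS, which the port filter ignores."""
    lines = []
    for i in range(150):
        lines.append(
            f"2013-10-29T10:00:{i % 60:02d} fw1 allow src=10.0.0.5 "
            f"dst=198.51.100.{i + 1} dport=16464 proto=udp"
        )
    for _ in range(20):  # repeats to the same peer must not inflate the count
        lines.append("2013-10-29T10:01:00 fw1 allow src=10.0.0.5 "
                     "dst=198.51.100.1 dport=16464 proto=udp")
    for i in range(3):
        lines.append(f"2013-10-29T10:02:00 fw1 allow src=10.0.0.7 "
                     f"dst=203.0.113.{i + 1} dport=16465 proto=udp")
    for i in range(200):
        lines.append(f"2013-10-29T10:03:00 fw1 allow src=10.0.0.9 "
                     f"dst=192.0.2.{i % 250 + 1} dport=443 proto=tcp")
    return lines


if __name__ == "__main__":
    for src, n in find_suspected_bots(make_sample_logs()).items():
        print(f"suspected ZeroAccess bot: {src} contacted {n} unique peers")
```

The AIE rule evaluates the unique-host count inside a time window; this script counts over whatever input it is given, so when running it against a real log feed, slice the input by window (for example one hour) before calling `find_suspected_bots`, otherwise a host that touched a handful of peers per day could accumulate to 100 over a long enough log.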

http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf

http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-New_CC_protocol_ZeroAccess-final2.pdf


October 29, 2013 - Posted by | Auditing, Hacking, ZeroAccess
